New PG_MEM Malware Targets PostgreSQL Databases for Cryptocurrency Mining

Cybersecurity researchers have uncovered a new malware strain, PG_MEM, that mines cryptocurrency on compromised PostgreSQL database servers. It does not exploit a software vulnerability in PostgreSQL; instead the attackers brute-force the database login, repeatedly guessing credentials until they land on an instance protected by a weak password.

Assaf Morag, a researcher at Aqua Security, attributes the compromises to brute-force attacks against PostgreSQL instances with weak authentication. Once logged in with sufficient privileges, the attacker can use the SQL command “COPY … FROM PROGRAM”, a documented PostgreSQL feature that runs an arbitrary shell command as the operating-system user the database server runs under and loads the command's output into a table. The command is available only to superusers and to members of the built-in pg_execute_server_program role, which is why a guessed superuser password is enough to turn database access into code execution on the host, with everything that follows from that: data theft and the deployment of additional malware.

The observed chain starts with poorly configured PostgreSQL instances, on which the attacker creates a new administrative (superuser) role and then uses the PROGRAM feature to execute shell commands for further intrusion. Initial reconnaissance follows, after which the attacker revokes superuser status from the built-in “postgres” role. The intent is to lock out other attackers who would break in the same way; the side effect for defenders is an ALTER ROLE … NOSUPERUSER statement arriving from a remote client, which is rare in normal administration and worth alerting on.

The shell commands fetch two payloads from a remote server at “128.199.77[.]96”. These payloads, PG_MEM and PG_CORE, terminate competing processes, establish persistence on the host, and finally deploy a Monero cryptocurrency miner. Because the commands run through COPY … FROM PROGRAM, the attacker never needs an interactive shell: the PostgreSQL server process executes each command, its output is copied into a table, and the attacker reads the result back with an ordinary SELECT.
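The chain described in the three paragraphs above leaves a recognisable trail in the PostgreSQL server log: a burst of failed logins from one address, a successful login from the same address, then CREATE ROLE … SUPERUSER, COPY … FROM PROGRAM and ALTER ROLE … NOSUPERUSER statements. The detector below is an added example written for this page, not code from the article or from Aqua Security. It assumes log_line_prefix = '%m [%p] %r %u@%d ' with log_connections = on and log_statement = 'all'; the log lines, the client addresses (RFC 5737 ranges) and the role name pg_mem_admin are constructed for the example.

```python
"""Spot the PG_MEM-style chain in PostgreSQL server logs: a burst of failed
logins from one address, a later successful login from that address, and
the SQL that follows (CREATE ROLE ... SUPERUSER, COPY ... FROM PROGRAM,
ALTER ROLE ... NOSUPERUSER).  Added example; the sample log is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumes log_line_prefix = '%m [%p] %r %u@%d ', log_connections = on and
# log_statement = 'all' (assumption; adapt LINE_RE to your own prefix).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ \[\d+\] "
    r"(?P<remote>\S+) (?P<user>[^@\s]+)@(?P<db>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAILED = "password authentication failed"
AUTH_OK = "connection authorized"

# Statement patterns for the behaviour the article describes.
STATEMENT_RULES = [
    ("new_superuser", re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.I | re.S)),
    ("copy_from_program", re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I | re.S)),
    ("strip_superuser", re.compile(r"\bALTER\s+(ROLE|USER)\b.*\bNOSUPERUSER\b", re.I | re.S)),
]


def parse_line(line):
    """Return the prefix fields and message as a dict, or None for lines
    without a client session (checkpoints, autovacuum, unknown formats)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
    ev["ip"] = ev["remote"].split("(", 1)[0]   # '203.0.113.5(51200)' -> '203.0.113.5'
    return ev


def analyze(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag addresses with >= threshold failed logins inside `window`, record
    which of them later authenticate, and collect suspicious statements."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    brute_force, compromised, statements = set(), set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, msg = ev["ip"], ev["msg"]
        if AUTH_FAILED in msg:
            q = failures[ip]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # keep only the sliding window
                q.popleft()
            if len(q) >= threshold:
                brute_force.add(ip)
        elif msg.startswith(AUTH_OK) and ip in brute_force:
            compromised.add(ip)               # the guessing stopped because it worked
        elif msg.startswith("statement: "):
            sql = msg[len("statement: "):]
            for rule, rx in STATEMENT_RULES:
                if rx.search(sql):
                    statements.append({"ip": ip, "user": ev["user"], "rule": rule, "sql": sql})
    return {
        "brute_force_sources": sorted(brute_force),
        "compromised_sources": sorted(compromised),
        "suspicious_statements": statements,
    }


# Constructed sample log (RFC 5737 addresses; pg_mem_admin is a made-up role name).
SAMPLE_LOG = """\
2024-08-20 10:15:00.000 UTC [4001]  @ LOG:  checkpoint starting: time
2024-08-20 10:15:01.123 UTC [4123] 203.0.113.5(51200) postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:01.456 UTC [4124] 203.0.113.5(51201) postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:02.010 UTC [4125] 203.0.113.5(51202) postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:02.600 UTC [4126] 203.0.113.5(51203) postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:03.100 UTC [4127] 203.0.113.5(51204) postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:05.000 UTC [4128] 198.51.100.7(40022) app@shop FATAL:  password authentication failed for user "app"
2024-08-20 10:15:09.001 UTC [4130] 203.0.113.5(51209) postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:15:10.200 UTC [4130] 203.0.113.5(51209) postgres@postgres LOG:  statement: CREATE ROLE pg_mem_admin WITH SUPERUSER LOGIN PASSWORD 'redacted'
2024-08-20 10:15:11.300 UTC [4130] 203.0.113.5(51209) postgres@postgres LOG:  statement: COPY cmd_out FROM PROGRAM 'id'
2024-08-20 10:15:12.400 UTC [4130] 203.0.113.5(51209) postgres@postgres LOG:  statement: ALTER ROLE postgres NOSUPERUSER
2024-08-20 10:15:20.000 UTC [4131] 198.51.100.7(40025) app@shop LOG:  statement: SELECT count(*) FROM orders
""".splitlines()

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

The single failed login from the application host is ignored, the five rapid failures from 203.0.113.5 trip the threshold, and the subsequent "connection authorized" from that address is the signal that the brute force succeeded; the three statement hits that follow are the CREATE ROLE, COPY and ALTER ROLE steps of the chain. Tune threshold and window to your own baseline, and feed the output into whatever alerting you already have.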

Although the immediate objective is cryptocurrency mining, the same access lets the attacker run arbitrary commands, read or alter data, and control the compromised server outright. Morag notes that the campaign concentrates on PostgreSQL instances exposed to the internet, and that the weak passwords it relies on usually trace back to misconfiguration and poor identity management rather than to any flaw in PostgreSQL itself.

Separately, Datadog Security Labs recently reported opportunistic attacks that exploit the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j. Those attacks deploy obfuscated scripts that gather system information, install XMRig miners, and maintain reverse shells for persistent remote access.

For organizations, PG_MEM is a reminder that an internet-facing database is a remote code execution surface, not just a data store: a guessed superuser password hands the attacker a shell on the host. The mitigations are unglamorous and well known. Keep PostgreSQL off the public internet (bind it to a private interface, or put it behind a firewall or VPN), enforce strong unique passwords and SCRAM authentication, restrict which addresses and roles pg_hba.conf accepts, keep the number of superusers to a minimum, and log connections and statements so that a burst of failed logins followed by a COPY … FROM PROGRAM is visible.
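The "correct database configuration" this paragraph calls for is largely a matter of pg_hba.conf, the file that decides which clients may authenticate to which roles and by what method. The audit script below is an added example written for this page, not code from the article or from any PostgreSQL project; it parses pg_hba.conf rule lines and flags the settings that make a PG_MEM-style brute force possible (trust, cleartext password, legacy md5, and rules open to every address). Both configuration fragments are constructed for the example; the 10.20.0.0/16 range is an assumed internal network.

```python
"""Audit pg_hba.conf for the weaknesses behind this campaign: password-less
or password-guessable access reachable from anywhere.  Added example; the two
configs below are constructed, not taken from any real deployment."""
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hba(text):
    """Yield one dict per rule line.  Handles CIDR and 'address netmask'
    forms; include directives and unrecognised lines are skipped (assumption)."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            yield {"line": n, "type": "local", "db": f[1], "user": f[2],
                   "address": None, "method": f[3], "raw": line}
        elif f[0] in HOST_TYPES and len(f) >= 5:
            addr, method = f[3], f[4]
            if len(f) >= 6 and _is_ip(f[4]):      # 'IP netmask method' form
                addr, method = f"{f[3]}/{f[4]}", f[5]
            yield {"line": n, "type": f[0], "db": f[1], "user": f[2],
                   "address": addr, "method": method, "raw": line}


def is_world(address):
    """True when the address field admits every client (all, 0.0.0.0/0, ::/0)."""
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False   # hostname, samehost, samenet: not judged here


def audit(text):
    """Return findings, in file order, for each weak rule in a pg_hba.conf."""
    findings = []
    for e in parse_hba(text):
        remote, m = e["type"] != "local", e["method"]

        def add(sev, rule, why):
            findings.append({"line": e["line"], "severity": sev, "rule": rule,
                             "why": why, "entry": e["raw"]})

        if m == "trust":
            add("critical" if remote else "low", "trust",
                "no password at all; a remote trust rule needs no brute force")
        elif m == "password":
            add("high", "cleartext_password", "password crosses the wire in clear; use scram-sha-256")
        elif m == "md5":
            add("medium", "md5", "legacy MD5 scheme; use scram-sha-256")
        if remote and m != "reject" and is_world(e["address"]):
            add("high", "open_to_internet",
                "every address may attempt logins for these roles; restrict the range")
        if e["type"] == "hostnossl":
            add("medium", "no_tls", "credentials and data cross the network unencrypted")
    return findings


# Constructed weak configuration: the shape of an exposed, brute-forceable server.
WEAK_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 trust
host    all       all   127.0.0.1/32  md5
host    all       all   0.0.0.0/0     md5
host    all       all   ::/0          password
"""

# Constructed hardened configuration: TLS + SCRAM from a named internal range
# (10.20.0.0/16 is an assumed example network), everything else rejected.
HARDENED_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
hostssl shop      app   10.20.0.0/16   scram-sha-256
hostssl all       all   10.20.1.10/32  scram-sha-256
host    all       all   0.0.0.0/0      reject
host    all       all   ::/0           reject
"""

if __name__ == "__main__":
    for f in audit(WEAK_HBA):
        print(f"line {f['line']:>2} {f['severity']:<8} {f['rule']:<18} {f['entry']}")
    print("hardened findings:", audit(HARDENED_HBA))
```

The weak file produces six findings (trust on the local socket, md5 on two rules, cleartext password on one, and two rules open to the whole internet); the hardened file produces none. Pair the file change with the listen_addresses setting and a firewall rule, since pg_hba.conf only governs connections that already reached the server.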

In MITRE ATT&CK terms the campaign is a straightforward chain: initial access and credential access via Brute Force (T1110) against the database login, execution through the database server's own COPY … FROM PROGRAM, persistence and defense evasion by creating a new superuser role and stripping superuser from “postgres”, and finally Resource Hijacking (T1496) for the Monero miner. None of the steps requires a software exploit; each depends on an exposed service and a weak password, which is exactly where detection and hardening effort should go.

Source Link : https://thehackernews.com/2024/08/new-malware-pgmem-targets-postgresql.html
